Prerequisites

SSSD 1.12.0 or later. This is available on Red Hat Enterprise Linux 7.0 and
later.

mod_lookup_identity 0.9.4 or later.

The required version is not yet available on any version of Red Hat Enterprise
Linux. However, compatible packages (RPMs) are available from upstream until
they arrive in Red Hat Enterprise Linux.

Configuring SSSD

You need to ask the System Security Services Daemon (SSSD) to look up attributes in
LDAP that it normally does not need for simple system-login use cases. In
the case of OpenShift Enterprise, there is only one such attribute: the user's email
address. So, you need to:

Modify the [domain/DOMAINNAME] section of /etc/sssd/sssd.conf on the
authenticating proxy and add this attribute:

[domain/example.com]
...
ldap_user_extra_attrs = mail

Tell SSSD that it is acceptable for this attribute to be retrieved by
Apache. Add the following two lines to the [ifp] section of
/etc/sssd/sssd.conf. The allowed_uids list is the access control for the
InfoPipe responder: only the listed local users may query user attributes over
D-Bus, so keep it to the accounts that actually need it:

[ifp]
user_attributes = +mail
allowed_uids = apache, root

Restart SSSD:

# systemctl restart sssd.service

Test this configuration: confirm that SSSD returns the mail attribute for a test
user before moving on to Apache.
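As an added example (shell; not part of the original page or of SSSD itself), a script that lints an sssd.conf for the three settings above and wraps the dbus-send call that asks the InfoPipe responder for a user's mail attribute, which is the same D-Bus method mod_lookup_identity uses. The sample configuration it writes is constructed for the offline check; the user name for the live query is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not from the original page: verify the SSSD side of this setup.
#  1. check_sssd_conf: offline lint of an sssd.conf for the settings above
#     (ldap_user_extra_attrs = mail, [ifp] user_attributes = +mail, and an
#     allowed_uids list that contains apache).
#  2. query_ifp_mail: the live D-Bus call to the InfoPipe responder; run it on
#     the proxy host as root (or as apache) once SSSD has been restarted.

# check_sssd_conf FILE -> exit 0 when all three settings are present, 1 otherwise.
check_sssd_conf() {
    awk '
        # Track the current [section]; names such as [domain/example.com] have no spaces.
        /^[[:space:]]*\[/ { section = $1; next }
        section ~ /^\[domain\// && /^[[:space:]]*ldap_user_extra_attrs[[:space:]]*=/ {
            if ($0 ~ /(=|,)[[:space:]]*mail([[:space:]]*,|[[:space:]]*$)/) extra = 1
        }
        section == "[ifp]" && /^[[:space:]]*user_attributes[[:space:]]*=/ {
            if ($0 ~ /(=|,)[[:space:]]*[+]mail([[:space:]]*,|[[:space:]]*$)/) ifp_attr = 1
        }
        section == "[ifp]" && /^[[:space:]]*allowed_uids[[:space:]]*=/ {
            if ($0 ~ /(=|,)[[:space:]]*apache([[:space:]]*,|[[:space:]]*$)/) ifp_uid = 1
        }
        END { ok = (extra && ifp_attr && ifp_uid); exit !ok }
    ' "$1"
}

# write_sample_conf FILE -> constructed sssd.conf matching the page, for offline use.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam, ifp
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_user_extra_attrs = mail

[ifp]
user_attributes = +mail
allowed_uids = apache, root
EOF
}

# query_ifp_mail USER -> ask the InfoPipe responder over the system bus for the
# mail attribute of USER (live system only; needs sssd running with ifp enabled).
query_ifp_mail() {
    dbus-send --system --print-reply \
        --dest=org.freedesktop.sssd.infopipe \
        /org/freedesktop/sssd/infopipe \
        org.freedesktop.sssd.infopipe.GetUserAttr \
        "string:$1" array:string:mail
}

# Stand-alone run: lint the constructed sample, then query the live responder
# only if a user name was given on the command line.
sample=$(mktemp)
write_sample_conf "$sample"
if check_sssd_conf "$sample"; then
    echo "sssd.conf sample: OK"
else
    echo "sssd.conf sample: missing a required setting" >&2
fi
rm -f "$sample"
if [ $# -gt 0 ]; then
    query_ifp_mail "$1"
fi
```

A successful reply is a dict with a mail entry holding the address as a string array. An empty dict usually means SSSD never fetched the attribute for that user: entries cached before ldap_user_extra_attrs was added do not gain it until the cache is refreshed (sss_cache -E invalidates all cached entries). A D-Bus error instead of a reply most often means the calling UID is not in allowed_uids.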

Configuring Apache

Now that SSSD is set up and successfully serving extended attributes, configure
the web server to ask for them and to insert them in the correct places.

Enable the module to be loaded by Apache. To do so, modify
/etc/httpd/conf.modules.d/55-lookup_identity.conf and uncomment the line:

LoadModule lookup_identity_module modules/mod_lookup_identity.so

Set an SELinux boolean so that SELinux allows Apache to connect to SSSD over
D-Bus (without it the lookups fail silently with AVC denials in the audit log):

# setsebool -P httpd_dbus_sssd on

Edit /etc/httpd/conf.d/openshift-proxy.conf and add the following
lines inside the <ProxyMatch /oauth/authorize> section:

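As an added example (not the page's own configuration and not shipped by the module), a <ProxyMatch> block using the mod_lookup_identity directives LookupOutput, LookupUserAttr and LookupUserGECOS. The header names X-Remote-User-Email and X-Remote-User-Display-Name are assumptions: they must match whatever headers the OpenShift request header identity provider on the master is configured to read, and the existing authentication and ProxyPass directives for the section stay in place.

```apache
<ProxyMatch /oauth/authorize>
  # Existing AuthType / Require / ProxyPass directives for the proxy remain here;
  # mod_lookup_identity only acts once the auth module has set REMOTE_USER.

  # Emit looked-up values as request headers so mod_proxy forwards them upstream
  LookupOutput headers

  # The LDAP "mail" attribute SSSD was told to fetch above (header name assumed)
  LookupUserAttr mail X-Remote-User-Email

  # Full name from the account's GECOS field (header name assumed)
  LookupUserGECOS X-Remote-User-Display-Name

  # The authenticated user name itself, only when authentication succeeded
  RequestHeader set X-Remote-User %{REMOTE_USER}s env=REMOTE_USER
</ProxyMatch>
```

Because the master trusts these headers unconditionally, the proxy must be the only path to /oauth/authorize and must strip any X-Remote-User* headers a client sends; otherwise anyone who can reach the master directly can impersonate a user by supplying them.
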
Launch OpenShift Enterprise with this updated configuration and log in to the web
console as a new user.

You should see the user's full name appear in the upper-right of the
screen. You can also verify with oc get identities -o yaml that both the email
address and the full name are present on the identity object.

Debugging Notes

Currently, OpenShift Enterprise only saves these attributes to the user at the time
of the first login and does not update them again after that. So, while you are
testing (and only while testing), run oc delete users,identities --all to
clear the identities out so you can log in again. Note that this removes every
user and identity in the cluster, not just the test account; on anything other
than a throwaway test cluster, delete only the test user and its identity object
instead.